Intended functionality of GET /account/sub

In our office, we’re using Nuki Web with three admin users. All have full admin rights. All three can see the same locks in the web interface, so they seem to be in the same “tenant”, “instance”, or however you may call it.

However, when using https://web.nuki.io/de/#/admin/rights or going straight to the GET /account/sub API, we’re seeing a strange situation:

User A can see all three users
User B can only see users B and C
User C can only see users B and C

I would expect all users to see all others, and also to be able to delete each other. Do I have a wrong understanding of the account architecture?

Happy to provide account IDs if that helps. Thanks a lot!

When creating a Nuki Web account, the first user will be the administrator of this account.
This user can then create sub-accounts for Nuki Web which can also be created with full admin rights or restricted scopes.
The user rights of the main account cannot be restricted, and this account also cannot be deleted as long as sub-accounts exist. But it is still available in GET /account/ (and editable via POST /account/)

Similarly, sub-accounts cannot change settings for the main administrator in Nuki Web: https://web.nuki.io/de/#/admin/rights

Thanks a lot @MatthiasK, seems to be working as designed then. :+1: